Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2510084pxj; Mon, 10 May 2021 04:52:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzeyJw0zlF4pWqwWnE/g48JZBpRrweAhNlJK5bjx/67ixRj3OinRi5nagestvsPmpiXgHq7 X-Received: by 2002:a17:906:5285:: with SMTP id c5mr25048319ejm.282.1620647523174; Mon, 10 May 2021 04:52:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620647523; cv=none; d=google.com; s=arc-20160816; b=VLwvGCd7BjhawseLdDAPZvpYt9X5xR+Y2dl9vlCcdaxbdx+gCnt1REoLS1DhmsXJjE pXM8xGbEmYF/ED9BX6msGjfkXD9Xv5uouOPdTbeBtOraMcPhKUYIHRz8Sq8wU4rFaqm2 fompmbRFSRMRsC/47AhWMW982s4p2588/TLHLkh9Pu5a7xqKxEnXWqmQCu2vFeF+6SqN zAVgLzXdnhM6HCW3D4oiDLGq7N5Fcs68+T4kdNRtELnpUV70hdi4ZAdWZE3On8IXHIGL W54mQsvGQmKCJ4S/rFxTzciuQbsrlG+7731lcwyqO1oOYFsSbff/4KBOHk5l8+C/453L IcnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GI6qVZfJX+R2jb6S8i6/KvvGy1dHaPJ2QRg/nYQajxM=; b=jlwQrfBgv5SvbtIH4wEylRGOjGN4NN99Z5m23QziF03IZF98Io9KGLHqDmIuHH+VhD viZgDJfBMlh8CGK55Qy/2qSgEl2CwCGjh8iX/UOla3nTZlu5+ArnR1wi+McnL/vfUS3e y/Nn0SrFVXzFvMhNRqYld5GrgHNcAUgICNV+rTjVMRiwGxbMZoCQViPE2XkSJGUiyLaQ zy5Ux6NKCBAkuzCkFilHDpAW0UKSOjxipQWQwjpTXnIwPwH2Tfuf+umQmKwuRmO76IPy B+vJmb9ddg0/zRJB9vwkXoSSH7QhwTA2223I2kS8XOEMbQiuorlF46bQk8QPTOdzLSH9 5pfw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=eWL3NX+C; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m18si12423543edc.151.2021.05.10.04.51.36; Mon, 10 May 2021 04:52:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=eWL3NX+C; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242217AbhEJLlI (ORCPT + 99 others); Mon, 10 May 2021 07:41:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:52744 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235053AbhEJK5f (ORCPT ); Mon, 10 May 2021 06:57:35 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id EB4E661364; Mon, 10 May 2021 10:51:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620643896; bh=j5njG6kfjfeKS8Pe74lDvSoVoXEqAO/FDdLBo589vLg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eWL3NX+CgYsF9byKzoF1b/T4bsO7nlVFB/rER0lk6h+j/h/liJRGk4xEl/l+kOTjB 4fGZ+zfmT60LNTFScsp4tnQJ3HazCf6Hwon7Yx8e0KAGzIEEjwa4RSeU29V465/HTK uIOop9ISQ2VtoOPSSluf0mevprbAXtmaSKn5olWs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 5.11 203/342] media: tc358743: fix possible use-after-free in tc358743_remove() Date: Mon, 10 May 2021 12:19:53 +0200 Message-Id: <20210510102016.793550279@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210510102010.096403571@linuxfoundation.org> References: <20210510102010.096403571@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit 6107a4fdf8554a7aa9488bdc835bb010062fa8a9 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/i2c/tc358743.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index 831b5b54fd78..1b309bb743c7 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -2193,7 +2193,7 @@ static int tc358743_remove(struct i2c_client *client) del_timer_sync(&state->timer); flush_work(&state->work_i2c_poll); } - cancel_delayed_work(&state->delayed_work_enable_hotplug); + cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); cec_unregister_adapter(state->cec_adap); v4l2_async_unregister_subdev(sd); v4l2_device_unregister_subdev(sd); -- 2.30.2